Tron Wallet Security Flaw Leaves Over 14,000 Wallets Vulnerable - Research

A significant security flaw has put in jeopardy more than 14,500 Tron cryptocurrency wallets, potentially exposing millions of dollars in assets to theft. This vulnerability, detailed by security firm AMLBot in a report shared with Cointelegraph, compromised 2,130 wallets in the last quarter of 2024 alone. These wallets hold approximately $31.5 million in digital assets.

The stealthy nature of this attack makes it particularly dangerous . Unlike conventional hacks that quickly drain funds, this exploit allows attackers to control wallets undetected. They block legitimate outbound transactions, effectively denying rightful owners access to their funds. Victims may unknowingly continue to deposit more assets, enriching the hackers without any awareness of the breach.

Mykhailo Tiutin, Chief Technology Officer at AMLBot, noted the difficulty victims face in understanding their wallets are compromised. An anonymous victim, fearing further targeting, shared how he deposited an additional 1,000 USDT into his wallet, unaware of its compromised status. If funds had been stolen outright, it would have been clear immediately.

Tron’s UpdateAccountPermission transaction is designed to bolster account security with features like multisig functionalities. It allows for assignment of specific roles to keys and setting thresholds for transaction authorization. However, this feature becomes a vulnerability when attackers access a private key. They can add their keys, meeting transaction thresholds and effectively locking out legitimate users.

Tiutin points out the lack of notification when a new key is added, leaving owners unaware of the breach until they initiate an outbound transaction. Even after discovering the issue, options for victims are limited. The immediate advice is to stop further deposits into the compromised wallet.

Sattvik Kansal, co-founder of Rome Protocol, highlighted the seriousness of the attack, noting the impossibility of recovering funds without the attacker’s private key. Tron has yet to respond to the incident.

The legitimate purpose of UpdateAccountPermission serves many roles. It enables shared account control, reduces unauthorized transactions, and aids decentralized governance by requiring multisignature approvals. Individual users benefit similarly by securing accounts with multiple keys.

Tron is not alone in facing misuse of blockchain functionalities. On Ethereum, essential functions such as "approve" and "permit" are frequently exploited in phishing scams, leading to substantial losses. Scam Sniffer, a security firm, reported $9.38 million lost to phishing scams in November 2024 alone, with significant amounts attributed to Ethereum.

The decline from previous loss figures suggests improvements in wallet security and better user education. Such measures are crucial in preventing phishing schemes.

Preventing exploitation of UpdateAccountPermission begins with securing private keys, which are essential for manipulating account permissions. Axel Leloup, lead security researcher at Dowsers, stressed the need for understanding Tron’s permission systems and conducting regular reviews. He advised securely storing private keys offline and avoiding sharing them with untrusted parties.

The anonymous victim's compromised wallet resulted from poor operational security, with his private key exposed in source code across devices. To further safeguard, Tiutin suggests limiting the amount of Tronix (TRX) in wallets and opting for wallets that allow USDT transactions without burning TRX, given the 100 TRX fee needed for the UpdateAccountPermission function.

For users of Ethereum and other blockchains, as phishing attacks become increasingly sophisticated, robust security measures remain critical to protecting digital assets.